• WAF指纹探测及识别技术<freebuf>


    Web应用防护系统(也称:网站应用级入侵防御系统。英文:Web Application Firewall,简称: WAF)。利用国际上公认的一种说法:Web应用防火墙是通过执行一系列针对HTTP/HTTPS的安全策略来专门为Web应用提供保护的一款产品。本文介绍了常见的WAF指纹识别的一些技术,详见如下:

    WAF指纹

     


    Cookie值

    Citrix Netscaler

    “Citrix Netscaler”会在HTTP返回头部Cookie位置加入“ns_af”的值,可以以此判断为Citrix Netscaler的WAF,国内此类WAF很少(这货居然是searchsecurity认定的2013最好的防火墙)。

    一个恶意的请求示例:

    GET / HTTP/1.1
    Host: target.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: ASPSESSIONIDAQQSDCSC=HGJHINLDNMNFHABGPPBNGFKC; ns_af=31+LrS3EeEOBbxBV7AWDFIEhrn8A000;ns_af_.target.br_%2F_wat=QVNQU0VTU0lPTklEQVFRU0RDU0Nf?6IgJizHRbTRNuNoOpbBOiKRET2gA&
    Connection: keep-alive
    Cache-Control: max-age=0

    F5 BIG IP ASM

    F5 BiG IP ASM会在Cookie中加入“TS+随机字符串”的Cookie信息,一个非恶意的请求如下:
    GET / HTTP/1.1
    Host: www.target.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Cookie: target_cem_tl=40FC2190D3B2D4E60AB22C0F9EF155D5; s_fid=77F8544DA30373AC-31AE8C79E13D7394; s_vnum=1388516400627%26vn%3D1; s_nr=1385938565978-New; s_nr2=1385938565979-New; s_lv=1385938565980; s_vi=[CS]v1|294DCEC0051D2761-40000143E003E9DC[CE]; fe_typo_user=7a64cc46ca253f9889675f9b9b79eb66; TSe3b54b=36f2896d9de8a61cf27aea24f35f8ee1abd1a43de557a25c529fe828; TS65374d=041365b3e678cba0e338668580430c26abd1a43de557a25c529fe8285a5ab5a8e5d0f299
    Connection: keep-alive
    Cache-Control: max-age=0

    HTTP响应

    Mod_Security

    Mod_Security是为Apache设计的开源Web防护模块,一个恶意的请求Mod_Security会在响应头返回“406 Not acceptable”的信息。

    请求:

    GET /<script>alert(1);</script>HTTP/1.1
    Host: www.target.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    响应:
    HTTP/1.1 406 Not Acceptable
    Date: Thu, 05 Dec 2013 03:33:03 GMT
    Server: Apache
    Content-Length: 226
    Keep-Alive: timeout=10, max=30
    Connection: Keep-Alive
    Content-Type: text/html; charset=iso-8859-1
    <head><title>Not Acceptable!</title></head><body><h1>Not Acceptable!</h1><p>An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.</p></body></html>

    WebKnight

    WebKnight是用来设计在IIS下面使用的WAF设备,较为常见。WebKnight会对恶意的请求返回“999 No Hacking”的信息。

    请求:

    GET /?PageID=99<script>alert(1);</script>HTTP/1.1
    Host: www.aqtronix.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    响应:
    HTTP/1.1 999 No Hacking
    Server: WWW Server/1.1
    Date: Thu, 05 Dec 2013 03:14:23 GMT
    Content-Type: text/html; charset=windows-1252
    Content-Length: 1160
    Pragma: no-cache
    Cache-control: no-cache
    Expires: Thu, 05 Dec 2013 03:14:23 GMT

    F5 BIG IP

    F5 BIG IP会对恶意请求返回“419 Unknown”的信息,如下:

    GET /<script> HTTP/1.0
    HTTP/1.1 419 Unknown
    Cache-Control: no-cache
    Content-Type: text/html; charset=iso-8859-15
    Pragma: no-cache
    Content-Length: 8140
    Date: Mon, 25 Nov 2013 15:22:44 GMT
    Connection: keep-alive
    Vary: Accept-Encoding

    dotDefender

    dotDefender用来防护.net的程序,也比较出名,会对恶意请求返回“dotDefender Blocked Your Request”的信息。

    请求:

    GET /---HTTP/1.1
    Host: www.acc.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Connection: keep-alive
    Cache-Control: max-age=0

    响应:

    HTTP/1.1 200 OK
    Cache-Control: no-cache
    Content-Type: text/html
    Vary: Accept-Encoding
    Server: Microsoft-IIS/7.5
    X-Powered-By: ASP.NET
    Date: Thu, 05 Dec 2013 03:40:14 GMT
    Content-Length: 2616
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Frameset//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-frameset.dtd"><htmlxmlns="http://www.w3.org/1999/xhtml"><head><title>dotDefender Blocked Your Request</title>

    ……

    特定资源文件

    部分特定WAF在返回的告警页面含特定的CSS或者JS文件,可以作为判断的依据,这类情况在WAF类里比较少,实际也可以归并到HTTP响应中。

    看2个样例:

    <html><bodystyle="margin:0; padding:0"><center><iframewidth="100%"align="center"height="870"frameborder="0"scrolling="no"src="http://safe.webscan.360.cn/stopattack.html"></iframe></center></body></html>
    HTTP/1.1 405 Not Allowed
    Server: ASERVER/1.2.9-3
    Date: Fri, 27 Dec 2013 14:15:14 GMT
    Content-Type: text/html
    Connection: keep-alive
    X-Powered-By-Anquanbao: MISS from uni-tj-ky-sb3
    Content-Length: 7188
    <divclass="wrapper"><divclass="titlelogo"></div><divclass="err_tips">由于您访问的URL有可能对网站造成安全威胁,您的访问被阻断。</div><divclass="feedback"><formaction="http://report.anquanbao.com/api.php"method="post"><inputtype="hidden"name="black_code"value=""class="hidden_rule_id"/><inputtype="hidden"name="deny_time"value=""class="hidden_intercept_time"/><inputtype="hidden"name="server_id"value=""class="hidden_server_title"/><inputtype="hidden"name="deny_url"value=""class="deny_url"/><inputtype="submit"class="submit_img"value=""/></form></div><divclass="detailcontent"><divclass="detailupimg"><ahref="javascript:;">站长点击查看详情</a></div><divclass="detaildownimg "><ahref="javascript:;">站长点击查看详情</a></div><divclass="hiddeninfo">
    规则ID:<spanclass="rule_id">10384</span><spanstyle="margin-left:20px">拦截时间:</span><spanclass="intercept_time">2013/12/27 22:15:14</span><divclass="hiddeninfosecond"><spanstyle="padding-top:20px">ServerName:</span><spanclass="server_title"style="padding-top:20px">uni-tj-ky-sb3/1.2.9-3</span></div><divclass="hiddeninfothird">

    WAF识别工具


    一些WAF可以自定义返回的消息内容,或者全部返回自定义的404页面或200页面,有一些工具会协助作为WAF设备的识别。

    Wafw00f

    用python编写的一个小工具,开源地址:

    http://code.google.com/p/waffit/source/browse/trunk/wafw00f.py

    Wafw00f用来判断WAF设备的函数如下:

       AdminFolder = '/Admin_Files/'
        xssstring = '<script>alert(1)</script>'
        dirtravstring = '../../../../etc/passwd'
        cleanhtmlstring = '<invalid>hello'
        isaservermatch = 'Forbidden ( The server denied the specified Uniform Resource Locator (URL). Contact the server administrator.  )'

    使用“python wafw00f.py -h”可以查看工具的使用方法,运行示例:

    python wafw00f.py http://www.victim.org/

    基于Cookie的检测

    Wafw00f的探测大部分是基于Cookie的检测。

    F5asm的检测规则如下:

    def isf5asm(self):
            # credit goes to W3AF
            return self.matchcookie('^TS[a-zA-Z0-9]{3,6}=')

    基于响应头的检测

    Profense在响应头会包含'server','profense'的信息。

        def isprofense(self):
            """
            Checks for server headers containing "profense"
            """
            return self.matchheader(('server','profense'))

    sqlmap

    Sqlmap是一款检测和利用SQLi漏洞工具,也是基于python编写,业内认同率较高,sqlmap用来探测WAF类型想比较Wafw00f来说还多一些。

    参考:

    https://github.com/sqlmapproject/sqlmap/tree/master/waf

    Sqlmap用来探测每种WAF设备都是一个python文件,同样是从cookie信息或者返回头信息进行判断。

    以Mod_Security为例

    #!/usr/bin/env python
     
    """
    Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
    See the file 'doc/COPYING' for copying permission
    """
     
    import re
     
    from lib.core.enums import HTTP_HEADER
    from lib.core.settings import WAF_ATTACK_VECTORS
     
    __product__ = "ModSecurity: Open Source Web Application Firewall (Trustwave)"
     
    def detect(get_page):
        retval = False
     
        for vector in WAF_ATTACK_VECTORS:
            page, headers, code = get_page(get=vector)
            retval = code == 501 and re.search(r"Reference #[0-9A-Fa-f.]+", page, re.I) is None
            retval |= re.search(r"Mod_Security|NOYB", headers.get(HTTP_HEADER.SERVER, ""), re.I) is not None
            if retval:
                break
        return retval

    Sqlmap用来探测WAF的命令如下:

    python sqlmap.py -u “http://www.victim.org/ex.php?id=1” --identify-waf

    貌似必须是或自己修改的类似动态参数才能使用。

    xenoitx

    检测和利用XSS漏洞的神器,WAF检测也是其中的功能之一。

  • 相关阅读:
    台式机+笔记本的扩展模式+远程登录设置
    Hadoop 集群搭建以及脚本撰写
    Python 入门学习(三)
    1056 Mice and Rice
    1057 Stack
    1058 A+B in Hogwarts
    1059 Prime Factors
    使用熔断器仪表盘监控
    使用熔断器防止服务雪崩
    创建服务消费者(Feign)
  • 原文地址:https://www.cnblogs.com/demonspider/p/3500439.html
Copyright © 2020-2023  润新知